1. 14 4月, 2021 5 次提交
    • R
      ima: Introduce appraise_exec_tcb policy · 5ddc3553
      Roberto Sassu 提交于
      hulk inclusion
      category: feature
      feature: IMA Digest Lists extension
      bugzilla: 46797
      
      -------------------------------------------------
      
      This patch introduces a new hard-coded policy to appraise executable code:
      
      appraise func=MODULE_CHECK appraise_type=imasig
      appraise func=FIRMWARE_CHECK appraise_type=imasig
      appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
      appraise func=POLICY_CHECK appraise_type=imasig
      appraise func=DIGEST_LIST_CHECK appraise_type=imasig
      dont_appraise fsmagic=0x9fa0
      dont_appraise fsmagic=0x62656572
      dont_appraise fsmagic=0x64626720
      dont_appraise fsmagic=0x858458f6
      dont_appraise fsmagic=0x1cd1
      dont_appraise fsmagic=0x42494e4d
      dont_appraise fsmagic=0x73636673
      dont_appraise fsmagic=0xf97cff8c
      dont_appraise fsmagic=0x43415d53
      dont_appraise fsmagic=0x6e736673
      dont_appraise fsmagic=0xde5e81e4
      dont_appraise fsmagic=0x27e0eb
      dont_appraise fsmagic=0x63677270
      appraise func=BPRM_CHECK appraise_type=imasig
      appraise func=MMAP_CHECK appraise_type=imasig
      
      The new policy can be selected by specifying ima_policy=appraise_exec_tcb
      in the kernel command line.
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
      Reviewed-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
      5ddc3553
    • R
      ima: Introduce exec_tcb policy · c382b47e
      Roberto Sassu 提交于
      hulk inclusion
      category: feature
      feature: IMA Digest Lists extension
      bugzilla: 46797
      
      -------------------------------------------------
      
      This patch introduces a new hard-coded policy to measure executable code:
      
      dont_measure fsmagic=0x9fa0
      dont_measure fsmagic=0x62656572
      dont_measure fsmagic=0x64626720
      dont_measure fsmagic=0x1cd1
      dont_measure fsmagic=0x42494e4d
      dont_measure fsmagic=0x73636673
      dont_measure fsmagic=0xf97cff8c
      dont_measure fsmagic=0x43415d53
      dont_measure fsmagic=0x27e0eb
      dont_measure fsmagic=0x63677270
      dont_measure fsmagic=0x6e736673
      measure func=MMAP_CHECK mask=MAY_EXEC
      measure func=BPRM_CHECK mask=MAY_EXEC
      measure func=MODULE_CHECK
      measure func=FIRMWARE_CHECK
      measure func=POLICY_CHECK
      measure func=DIGEST_LIST_CHECK
      
      It can be selected by specifying ima_policy=exec_tcb in the kernel command
      line. Files in tmpfs are not excluded from measurement.
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
      Reviewed-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
      c382b47e
    • R
      ima: Add meta_immutable appraisal type · ab8c2a63
      Roberto Sassu 提交于
      hulk inclusion
      category: feature
      feature: IMA Digest Lists extension
      bugzilla: 46797
      
      -------------------------------------------------
      
      Currently, IMA supports the appraise_type=imasig option in the policy to
      require file signatures. This patch introduces the new option
      appraise_type=meta_immutable to require that file metadata are signed and
      immutable. This requirement can be satisfied by portable signatures and
      by digest lists if they are marked as immutable.
      
      The main purpose of this option is to ensure that file metadata are correct
      at the time of access, so that policies relying on labels can be correctly
      enforced. For example, requiring immutable metadata would prevent an
      administrator from altering the label assigned to a process during
      execve() by changing the label of the executable.
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
      Reviewed-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
      ab8c2a63
    • R
      ima: Add support for measurement with digest lists · 31604143
      Roberto Sassu 提交于
      hulk inclusion
      category: feature
      feature: IMA Digest Lists extension
      bugzilla: 46797
      
      -------------------------------------------------
      
      IMA-Measure creates a new measurement entry every time a file is measured,
      unless the same entry is already in the measurement list.
      
      This patch introduces a new type of measurement list, recognizable by the
      PCR number specified with the new ima_digest_list_pcr= kernel option. This
      type of measurement list includes measurements of digest lists and files
      not found in those lists.
      
      The benefit of this patch is the availability of a predictable PCR that
      can be used to seal data or TPM keys to the OS software. Unlike standard
      measurements, digest list measurements only indicate that files with a
      digest in those lists could have been accessed, but not if and when. With
      standard measurements, however, the chosen PCR is unlikely predictable.
      
      Both standard and digest list measurements can be generated at the same
      time by adding '+' as a prefix to the value of ima_digest_list_pcr=
      (example: with ima_digest_list_pcr=+11, IMA generates standard measurements
      with PCR 10 and digest list measurements with PCR 11).
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
      Reviewed-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
      31604143
    • R
      ima: Introduce new hook DIGEST_LIST_CHECK · a810bfd8
      Roberto Sassu 提交于
      hulk inclusion
      category: feature
      feature: IMA Digest Lists extension
      bugzilla: 46797
      
      -------------------------------------------------
      
      This patch introduces a new hook called DIGEST_LIST_CHECK to measure
      and appraise digest lists in addition to executables and shared libraries,
      without including the FILE_CHECK hook in the IMA policy.
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
      Reviewed-by: NJason Yan <yanaijie@huawei.com>
      Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
      a810bfd8
  2. 05 10月, 2020 1 次提交
  3. 15 9月, 2020 1 次提交
  4. 09 9月, 2020 1 次提交
  5. 01 9月, 2020 2 次提交
    • T
      ima: Fail rule parsing when asymmetric key measurement isn't supportable · 48ce1ddc
      Tyler Hicks 提交于
      Measuring keys is currently only supported for asymmetric keys. In the
      future, this might change.
      
      For now, the "func=KEY_CHECK" and "keyrings=" options are only
      appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make
      this clear at policy load so that IMA policy authors don't assume that
      these policy language constructs are supported.
      
      Fixes: 2b60c0ec ("IMA: Read keyrings= option from the IMA policy")
      Fixes: 5808611c ("IMA: Add KEY_CHECK func to measure keys")
      Suggested-by: NNayna Jain <nayna@linux.ibm.com>
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Reviewed-by: NNayna Jain <nayna@linux.ibm.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      48ce1ddc
    • T
      ima: Pre-parse the list of keyrings in a KEY_CHECK rule · 176377d9
      Tyler Hicks 提交于
      The ima_keyrings buffer was used as a work buffer for strsep()-based
      parsing of the "keyrings=" option of an IMA policy rule. This parsing
      was re-performed each time an asymmetric key was added to a kernel
      keyring for each loaded policy rule that contained a "keyrings=" option.
      
      An example rule specifying this option is:
      
       measure func=KEY_CHECK keyrings=a|b|c
      
      The rule says to measure asymmetric keys added to any of the kernel
      keyrings named "a", "b", or "c". The size of the buffer size was
      equal to the size of the largest "keyrings=" value seen in a previously
      loaded rule (5 + 1 for the NUL-terminator in the previous example) and
      the buffer was pre-allocated at the time of policy load.
      
      The pre-allocated buffer approach suffered from a couple bugs:
      
      1) There was no locking around the use of the buffer so concurrent key
         add operations, to two different keyrings, would result in the
         strsep() loop of ima_match_keyring() to modify the buffer at the same
         time. This resulted in unexpected results from ima_match_keyring()
         and, therefore, could cause unintended keys to be measured or keys to
         not be measured when IMA policy intended for them to be measured.
      
      2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule()
         failed, the ima_keyrings buffer was freed and set to NULL even when a
         valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event
         would trigger a call to strcpy() with a NULL destination pointer and
         crash the kernel.
      
      Remove the need for a pre-allocated global buffer by parsing the list of
      keyrings in a KEY_CHECK rule at the time of policy load. The
      ima_rule_entry will contain an array of string pointers which point to
      the name of each keyring specified in the rule. No string processing
      needs to happen at the time of asymmetric key add so iterating through
      the list and doing a string comparison is all that's required at the
      time of policy check.
      
      In the process of changing how the "keyrings=" policy option is handled,
      a couple additional bugs were fixed:
      
      1) The rule parser accepted rules containing invalid "keyrings=" values
         such as "a|b||c", "a|b|", or simply "|".
      
      2) The /sys/kernel/security/ima/policy file did not display the entire
         "keyrings=" value if the list of keyrings was longer than what could
         fit in the fixed size tbuf buffer in ima_policy_show().
      
      Fixes: 5c7bac9f ("IMA: pre-allocate buffer to hold keyrings string")
      Fixes: 2b60c0ec ("IMA: Read keyrings= option from the IMA policy")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Reviewed-by: NNayna Jain <nayna@linux.ibm.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      176377d9
  6. 24 8月, 2020 1 次提交
  7. 21 7月, 2020 7 次提交
  8. 17 7月, 2020 7 次提交
    • T
      ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond · eb624fe2
      Tyler Hicks 提交于
      The KEY_CHECK function only supports the uid, pcr, and keyrings
      conditionals. Make this clear at policy load so that IMA policy authors
      don't assume that other conditionals are supported.
      
      Fixes: 5808611c ("IMA: Add KEY_CHECK func to measure keys")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      eb624fe2
    • T
      ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond · db2045f5
      Tyler Hicks 提交于
      The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
      this clear at policy load so that IMA policy authors don't assume that
      other conditionals are supported.
      
      Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
      true on any loaded KEXEC_CMDLINE rule without any consideration for
      other conditionals present in the rule. Make it clear that pcr is the
      only supported KEXEC_CMDLINE conditional by returning an error during
      policy load.
      
      An example of why this is a problem can be explained with the following
      rule:
      
       dont_measure func=KEXEC_CMDLINE obj_type=foo_t
      
      An IMA policy author would have assumed that rule is valid because the
      parser accepted it but the result was that measurements for all
      KEXEC_CMDLINE operations would be disabled.
      
      Fixes: b0935123 ("IMA: Define a new hook to measure the kexec boot command line arguments")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: NMimi Zohar <zohar@linux.ibm.com>
      Reviewed-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      db2045f5
    • T
      ima: Fail rule parsing when buffer hook functions have an invalid action · 71218343
      Tyler Hicks 提交于
      Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can
      only measure. The process_buffer_measurement() function quietly ignores
      all actions except measure so make this behavior clear at the time of
      policy load.
      
      The parsing of the keyrings conditional had a check to ensure that it
      was only specified with measure actions but the check should be on the
      hook function and not the keyrings conditional since
      "appraise func=KEY_CHECK" is not a valid rule.
      
      Fixes: b0935123 ("IMA: Define a new hook to measure the kexec boot command line arguments")
      Fixes: 5808611c ("IMA: Add KEY_CHECK func to measure keys")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      71218343
    • T
      ima: Free the entire rule if it fails to parse · 2bdd737c
      Tyler Hicks 提交于
      Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
      members, such as .fsname and .keyrings, when an error is encountered
      during rule parsing.
      
      Set the args_p pointer to NULL after freeing it in the error path of
      ima_lsm_rule_init() so that it isn't freed twice.
      
      This fixes a memory leak seen when loading an rule that contains an
      additional piece of allocated memory, such as an fsname, followed by an
      invalid conditional:
      
       # echo "measure fsname=tmpfs bad=cond" > /sys/kernel/security/ima/policy
       -bash: echo: write error: Invalid argument
       # echo scan > /sys/kernel/debug/kmemleak
       # cat /sys/kernel/debug/kmemleak
       unreferenced object 0xffff98e7e4ece6c0 (size 8):
         comm "bash", pid 672, jiffies 4294791843 (age 21.855s)
         hex dump (first 8 bytes):
           74 6d 70 66 73 00 6b a5                          tmpfs.k.
         backtrace:
           [<00000000abab7413>] kstrdup+0x2e/0x60
           [<00000000f11ede32>] ima_parse_add_rule+0x7d4/0x1020
           [<00000000f883dd7a>] ima_write_policy+0xab/0x1d0
           [<00000000b17cf753>] vfs_write+0xde/0x1d0
           [<00000000b8ddfdea>] ksys_write+0x68/0xe0
           [<00000000b8e21e87>] do_syscall_64+0x56/0xa0
           [<0000000089ea7b98>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: f1b08bbc ("ima: define a new policy condition based on the filesystem name")
      Fixes: 2b60c0ec ("IMA: Read keyrings= option from the IMA policy")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      2bdd737c
    • T
      ima: Free the entire rule when deleting a list of rules · 465aee77
      Tyler Hicks 提交于
      Create a function, ima_free_rule(), to free all memory associated with
      an ima_rule_entry. Use the new function to fix memory leaks of allocated
      ima_rule_entry members, such as .fsname and .keyrings, when deleting a
      list of rules.
      
      Make the existing ima_lsm_free_rule() function specific to the LSM
      audit rule array of an ima_rule_entry and require that callers make an
      additional call to kfree to free the ima_rule_entry itself.
      
      This fixes a memory leak seen when loading by a valid rule that contains
      an additional piece of allocated memory, such as an fsname, followed by
      an invalid rule that triggers a policy load failure:
      
       # echo -e "dont_measure fsname=securityfs\nbad syntax" > \
          /sys/kernel/security/ima/policy
       -bash: echo: write error: Invalid argument
       # echo scan > /sys/kernel/debug/kmemleak
       # cat /sys/kernel/debug/kmemleak
       unreferenced object 0xffff9bab67ca12c0 (size 16):
         comm "bash", pid 684, jiffies 4295212803 (age 252.344s)
         hex dump (first 16 bytes):
           73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5  securityfs.kkkk.
         backtrace:
           [<00000000adc80b1b>] kstrdup+0x2e/0x60
           [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020
           [<00000000444825ac>] ima_write_policy+0xab/0x1d0
           [<000000002b7f0d6c>] vfs_write+0xde/0x1d0
           [<0000000096feedcf>] ksys_write+0x68/0xe0
           [<0000000052b544a2>] do_syscall_64+0x56/0xa0
           [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: f1b08bbc ("ima: define a new policy condition based on the filesystem name")
      Fixes: 2b60c0ec ("IMA: Read keyrings= option from the IMA policy")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      465aee77
    • T
      ima: Have the LSM free its audit rule · 9ff8a616
      Tyler Hicks 提交于
      Ask the LSM to free its audit rule rather than directly calling kfree().
      Both AppArmor and SELinux do additional work in their audit_rule_free()
      hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
      
      Fixes: b1694245 ("ima: use the lsm policy update notifier")
      Signed-off-by: NTyler Hicks <tyhicks@linux.microsoft.com>
      Cc: Janne Karhunen <janne.karhunen@gmail.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Reviewed-by: NMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      9ff8a616
    • L
      IMA: Add audit log for failure conditions · 34e980bb
      Lakshmi Ramasubramanian 提交于
      process_buffer_measurement() and ima_alloc_key_entry() functions need to
      log an audit message for auditing integrity measurement failures.
      
      Add audit message in these two functions. Remove "pr_devel" log message
      in process_buffer_measurement().
      
      Sample audit messages:
      
      [    6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12
      
      [    8.019432] audit: type=1804 audit(1592506283.344:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22
      Signed-off-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Suggested-by: NMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      34e980bb
  9. 04 6月, 2020 1 次提交
    • R
      ima: Directly assign the ima_default_policy pointer to ima_rules · 067a436b
      Roberto Sassu 提交于
      This patch prevents the following oops:
      
      [   10.771813] BUG: kernel NULL pointer dereference, address: 0000000000000
      [...]
      [   10.779790] RIP: 0010:ima_match_policy+0xf7/0xb80
      [...]
      [   10.798576] Call Trace:
      [   10.798993]  ? ima_lsm_policy_change+0x2b0/0x2b0
      [   10.799753]  ? inode_init_owner+0x1a0/0x1a0
      [   10.800484]  ? _raw_spin_lock+0x7a/0xd0
      [   10.801592]  ima_must_appraise.part.0+0xb6/0xf0
      [   10.802313]  ? ima_fix_xattr.isra.0+0xd0/0xd0
      [   10.803167]  ima_must_appraise+0x4f/0x70
      [   10.804004]  ima_post_path_mknod+0x2e/0x80
      [   10.804800]  do_mknodat+0x396/0x3c0
      
      It occurs when there is a failure during IMA initialization, and
      ima_init_policy() is not called. IMA hooks still call ima_match_policy()
      but ima_rules is NULL. This patch prevents the crash by directly assigning
      the ima_default_policy pointer to ima_rules when ima_rules is defined. This
      wouldn't alter the existing behavior, as ima_rules is always set at the end
      of ima_init_policy().
      
      Cc: stable@vger.kernel.org # 3.7.x
      Fixes: 07f6a794 ("ima: add appraise action keywords and default rules")
      Reported-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      067a436b
  10. 08 5月, 2020 2 次提交
  11. 29 2月, 2020 1 次提交
  12. 23 1月, 2020 4 次提交
  13. 12 12月, 2019 3 次提交
    • L
      IMA: Read keyrings= option from the IMA policy · 2b60c0ec
      Lakshmi Ramasubramanian 提交于
      Read "keyrings=" option, if specified in the IMA policy, and store in
      the list of IMA rules when the configured IMA policy is read.
      
      This patch defines a new policy token enum namely Opt_keyrings
      and an option flag IMA_KEYRINGS for reading "keyrings=" option
      from the IMA policy.
      
      Updated ima_parse_rule() to parse "keyrings=" option in the policy.
      Updated ima_policy_show() to display "keyrings=" option.
      
      The following example illustrates how key measurement can be verified.
      
      Sample "key" measurement rule in the IMA policy:
      
      measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf
      
      Display "key" measurement in the IMA measurement list:
      
      cat /sys/kernel/security/ima/ascii_runtime_measurements
      
      10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee
      
      Verify "key" measurement data for a key added to ".ima" keyring:
      
      cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' ' -f 1
      
      The output of the above command should match the template hash
      of the first "key" measurement entry in the IMA measurement list for
      the key added to ".ima" keyring.
      
      The file namely "ima-cert.der" generated by the above command
      should be a valid x509 certificate (in DER format) and should match
      the one that was used to import the key to the ".ima" keyring.
      The certificate file can be verified using openssl tool.
      Signed-off-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      2b60c0ec
    • L
      IMA: Add support to limit measuring keys · e9085e0a
      Lakshmi Ramasubramanian 提交于
      Limit measuring keys to those keys being loaded onto a given set of
      keyrings only and when the user id (uid) matches if uid is specified
      in the policy.
      
      This patch defines a new IMA policy option namely "keyrings=" that
      can be used to specify a set of keyrings. If this option is specified
      in the policy for "measure func=KEY_CHECK" then only the keys
      loaded onto a keyring given in the "keyrings=" option are measured.
      
      If uid is specified in the policy then the key is measured only if
      the current user id matches the one specified in the policy.
      
      Added a new parameter namely "keyring" (name of the keyring) to
      process_buffer_measurement(). The keyring name is passed to
      ima_get_action() to determine the required action.
      ima_match_rules() is updated to check keyring in the policy, if
      specified, for KEY_CHECK function.
      Signed-off-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      e9085e0a
    • L
      IMA: Add KEY_CHECK func to measure keys · 5808611c
      Lakshmi Ramasubramanian 提交于
      Measure keys loaded onto any keyring.
      
      This patch defines a new IMA policy func namely KEY_CHECK to
      measure keys. Updated ima_match_rules() to check for KEY_CHECK
      and ima_parse_rule() to handle KEY_CHECK.
      Signed-off-by: NLakshmi Ramasubramanian <nramas@linux.microsoft.com>
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      5808611c
  14. 10 12月, 2019 1 次提交
  15. 12 11月, 2019 1 次提交
    • N
      ima: Check against blacklisted hashes for files with modsig · 273df864
      Nayna Jain 提交于
      Asymmetric private keys are used to sign multiple files. The kernel
      currently supports checking against blacklisted keys. However, if the
      public key is blacklisted, any file signed by the blacklisted key will
      automatically fail signature verification. Blacklisting the public key
      is not fine enough granularity, as we might want to only blacklist a
      particular file.
      
      This patch adds support for checking against the blacklisted hash of
      the file, without the appended signature, based on the IMA policy. It
      defines a new policy option "appraise_flag=check_blacklist".
      
      In addition to the blacklisted binary hashes stored in the firmware
      "dbx" variable, the Linux kernel may be configured to load blacklisted
      binary hashes onto the .blacklist keyring as well. The following
      example shows how to blacklist a specific kernel module hash.
      
        $ sha256sum kernel/kheaders.ko
        77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
        kernel/kheaders.ko
      
        $ grep BLACKLIST .config
        CONFIG_SYSTEM_BLACKLIST_KEYRING=y
        CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
      
        $ cat certs/blacklist-hash-list
        "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
      
      Update the IMA custom measurement and appraisal policy
      rules (/etc/ima-policy):
      
        measure func=MODULE_CHECK template=ima-modsig
        appraise func=MODULE_CHECK appraise_flag=check_blacklist
        appraise_type=imasig|modsig
      
      After building, installing, and rebooting the kernel:
      
         545660333 ---lswrv      0     0   \_ blacklist:
        bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
      
        measure func=MODULE_CHECK template=ima-modsig
        appraise func=MODULE_CHECK appraise_flag=check_blacklist
        appraise_type=imasig|modsig
      
        modprobe: ERROR: could not insert 'kheaders': Permission denied
      
        10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
        sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
        2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
      
        10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
        sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
        2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko  sha256:77fa889b3
        5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
        3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
        016503040201300b06092a864886f70d01070131820264....
      
        10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
        sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
        b blacklisted-hash
        77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
      Signed-off-by: NNayna Jain <nayna@linux.ibm.com>
      [zohar@linux.ibm.com: updated patch description]
      Signed-off-by: NMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
      273df864
  16. 20 8月, 2019 1 次提交
    • M
      kexec: Allow kexec_file() with appropriate IMA policy when locked down · 29d3c1c8
      Matthew Garrett 提交于
      Systems in lockdown mode should block the kexec of untrusted kernels.
      For x86 and ARM we can ensure that a kernel is trustworthy by validating
      a PE signature, but this isn't possible on other architectures. On those
      platforms we can use IMA digital signatures instead. Add a function to
      determine whether IMA has or will verify signatures for a given event type,
      and if so permit kexec_file() even if the kernel is otherwise locked down.
      This is restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set
      in order to prevent an attacker from loading additional keys at runtime.
      Signed-off-by: NMatthew Garrett <mjg59@google.com>
      Acked-by: NMimi Zohar <zohar@linux.ibm.com>
      Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      Cc: linux-integrity@vger.kernel.org
      Signed-off-by: NJames Morris <jmorris@namei.org>
      29d3c1c8
  17. 06 8月, 2019 1 次提交